Parsia-Clone

Contains (almost) everything the real Parsia has.

4 minute read - Abandoned Research

BMC Track It 11.2

Download BMC Track It 11.2 from CNET. http://download.cnet.com/BMC-Track-It/3000-18482_4-10003961.html?tag=bc

Disconnect your VM from the internet because you don’t want to be vulnerable.

First we install it. After installation:

Lo and behold, we have something listening on port 9010 (on all interfaces).

PS C:\> netstat -an | findstr.exe "9010"
  TCP    0.0.0.0:9010           0.0.0.0:0              LISTENING
PS C:\>

[pic01]

But now we have the problem of finding the module that is listening on port 9010.

For that we can use the -b switch of netstat, which needs an elevated (admin) PowerShell window or command prompt.

PS C:\> netstat -ab

Active Connections
  Proto  Local Address          Foreign Address        State
  ...

 TCP    0.0.0.0:5357           x64-PC:0               LISTENING
 Can not obtain ownership information

  TCP    0.0.0.0:6712           x64-PC:0               LISTENING
 [TIHost.exe]

  TCP    0.0.0.0:9010           x64-PC:0               LISTENING
 [TIServiceManagement.exe]

  TCP    0.0.0.0:49176          x64-PC:0               LISTENING
 [sqlservr.exe]

  TCP    127.0.0.1:49176        x64-PC:49519           ESTABLISHED
 [sqlservr.exe]

  TCP    127.0.0.1:49519        x64-PC:49176           ESTABLISHED
 [TIServiceManagement.exe]
   ...

So we have two open ports belonging to Track-It!: 6712 and 9010.
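Correlating the netstat rows with the bracketed owner lines by eye works for one host. As an added example (not code from the original post), here is a Python parser for the netstat -ab layout shown above: it attaches the owner line to the socket row that precedes it, leaves the owner unknown where Windows prints "Can not obtain ownership information" (as it did for port 5357), keeps any service names netstat prints above a hosting executable, and lists the listeners bound to every interface, which are the ones reachable from the network. The sample text is constructed from the listing above with one svchost-hosted service row added to exercise that path.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the trimmed netstat -ab output above,
# plus one svchost-hosted service entry (netstat -b prints the service
# name on its own line, then the hosting executable in brackets).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:5357           x64-PC:0               LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:6712           x64-PC:0               LISTENING
 [TIHost.exe]
  TCP    0.0.0.0:9010           x64-PC:0               LISTENING
 [TIServiceManagement.exe]
  TCP    0.0.0.0:49176          x64-PC:0               LISTENING
 [sqlservr.exe]
  TCP    127.0.0.1:49176        x64-PC:49519           ESTABLISHED
 [sqlservr.exe]
  TCP    127.0.0.1:49519        x64-PC:49176           ESTABLISHED
 [TIServiceManagement.exe]
  TCP    [::]:3389              x64-PC:0               LISTENING
 TermService
 [svchost.exe]
"""

# A socket row: proto, local, foreign and (for TCP) state. UDP rows have no state.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
ANY_INTERFACE = {"0.0.0.0", "[::]"}


@dataclass
class Socket:
    proto: str
    local_host: str
    local_port: int
    foreign: str
    state: str                               # empty string for UDP rows
    owner: Optional[str] = None              # executable from the [...] line, None if unknown
    components: List[str] = field(default_factory=list)  # service names listed above the exe


def parse_netstat(text: str) -> List[Socket]:
    """Parse `netstat -ab` output into Socket records.

    Ownership information follows its socket row; 'Can not obtain ownership
    information' leaves owner as None instead of inventing a process name.
    """
    sockets: List[Socket] = []
    current: Optional[Socket] = None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            host, port = local.rsplit(":", 1)   # rsplit keeps IPv6 "[::]" intact
            current = Socket(proto, host, int(port), foreign, state or "")
            sockets.append(current)
            continue
        stripped = line.strip()
        if current is None or not stripped:
            continue                             # banner/header lines before the first row
        if stripped.startswith("[") and stripped.endswith("]"):
            current.owner = stripped[1:-1]
        elif stripped.startswith("Can not obtain ownership"):
            pass                                 # owner stays None
        else:
            current.components.append(stripped)  # e.g. a service hosted in svchost.exe
    return sockets


def owner_of_port(sockets: List[Socket], port: int) -> Optional[str]:
    """Executable listening on `port`, or None if absent or ownership is unknown."""
    for s in sockets:
        if s.local_port == port and s.state == "LISTENING":
            return s.owner
    return None


def exposed_listeners(sockets: List[Socket]) -> List[Socket]:
    """Listeners bound to all interfaces; these are the ones worth explaining."""
    return [s for s in sockets if s.state == "LISTENING" and s.local_host in ANY_INTERFACE]


if __name__ == "__main__":
    for s in exposed_listeners(parse_netstat(SAMPLE_NETSTAT)):
        svc = f" ({', '.join(s.components)})" if s.components else ""
        print(f"{s.proto} {s.local_host}:{s.local_port} -> {s.owner or '<unknown owner>'}{svc}")
```

On a real host, feed it the saved output of an elevated `netstat -ab` run; a listener whose owner comes back as None is exactly the case the post hits with port 5357 and has to identify by other means.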

We can see that they are running as SYSTEM according to this Task Manager screenshot.

[pic02]

And one is a service.

[pic03]

At this point we do not know what is running on port 5357, but if we telnet to it we see a familiar response:

HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 28 Oct 2015 01:35:23 GMT
Connection: close
Content-Length: 326

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Verb</h2>
<hr><p>HTTP Error 400. The request verb is invalid.</p>
</BODY></HTML>

Connection to host lost.

This is interesting, but not what we are looking for. Maybe we will come back to it later.

Connect to localhost:9010 with telnet or your browser and observe the error message, which indicates that we are on the right track.

.NET..........System.Runtime.Remoting.RemotingException: Tcp channel protocol violation: expecting preamble.
   at System.Runtime.Remoting.Channels.Tcp.TcpSocketHandler.ReadAndMatchPreamble()
   at System.Runtime.Remoting.Channels.Tcp.TcpSocketHandler.ReadVersionAndOperation(UInt16& operation)
   at System.Runtime.Remoting.Channels.Tcp.TcpServerSocketHandler.ReadHeaders()
   at System.Runtime.Remoting.Channels.Tcp.TcpServerTransportSink.ServiceRequest(Object state)
   at System.Runtime.Remoting.Channels.SocketHandler.ProcessRequestNow()

Connection to host lost.

Navigate to C:\Program Files (x86)\BMC Software\Track-It!\Track-It! Services, which contains the TIServiceManagement.exe executable, and look inside its config file TIServiceManagement.exe.config.

<appSettings>
    <add key="ConfigurationRemotingChannel" value="tcp" />
    <add key="ConfigurationRemotingHost" value="x64-PC" />
    <add key="ConfigurationRemotingPort" value="9010" />

    <!--Remoting Services Manager-->
    <add key="RemotingServiceClass" value="TrackIt.Core.ServiceManagement.ServiceManagementImpl.ServiceManagementServer,TrackIt.Core.ServiceManagement.ServiceManagementImpl" />
    <add key="RemotingServiceName" value="TIServiceManagement" />
    <add key="RemotingServiceDisplayName" value="Track-It! Service Management" />
    <add key="RemotingServiceDescription" value="Manages services instances deployed on this host." />
    <add key="SystemHealth:SystemHealthConfiguration:TrackIt.Core.Configuration.MultisourceConfigurationImpl.DatabaseConfigurationSource" value="Database source" />
</appSettings>

Look at Properties > Details for TIServiceManagement.exe and we will see that the file description is RemotingServicesManager, as is its original filename.

[pic04]

Here’s the thing: we could open the file in dnSpy and poke around, but let’s cut to the chase and look at the local traffic.

To capture local traffic [link to the capturing local traffic blog post] we will use RawCap. Run RawCap and start capturing on the pseudo loopback interface. Now start the application and log in. The demo user does not have a password.

[pic05]

And we can see the contents (well, the printable parts) by using Follow TCP Stream.

[pic06]

We have seen the first request before (I have filtered out a lot of non-printable characters unless they are needed, and we are going to talk about them).

.NET 3 tcp://x64-PC:9010/TrackIt.Core.ConfigurationService.
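The non-printable bytes filtered out of that first request are the .NET Remoting TCP channel frame header, and decoding them is what tells you, from a capture alone, that a service speaks this protocol and which remote object URI it is talking to. The parser below is an added example, not code from the post or from Track-It; it follows the frame layout of Microsoft's MS-NRTP specification as I recall it (preamble ".NET", version 1.0, operation, content distribution, content length, then tagged headers such as RequestUri and ContentType, each a format byte followed by a counted string), so treat the constants as an assumption to check against the spec. The sample frame is constructed to mirror the captured request, with a placeholder in place of the serialized MethodCall body. It also explains the stray "3" in the printable dump: the URI tcp://x64-PC:9010/TrackIt.Core.ConfigurationService is 51 bytes long, and the low byte of that length is 0x33, which prints as "3".

```python
import struct
from dataclasses import dataclass, field
from typing import Dict

# Frame constants per MS-NRTP as recalled here (assumption; verify against the spec).
PREAMBLE = b".NET"
OPERATIONS = {0: "Request", 1: "OneWayRequest", 2: "Reply"}
HEADER_TOKENS = {2: "StatusCode", 3: "StatusPhrase", 4: "RequestUri",
                 5: "CloseConnection", 6: "ContentType"}
END_OF_HEADERS, CUSTOM_HEADER = 0, 1
# Header data formats: 0 = void, 1 = counted string, 2 = byte, 3 = uint16, 4 = int32


def looks_like_nrtp(data: bytes) -> bool:
    """Cheap banner check: preamble '.NET' followed by protocol version 1.0."""
    return data[:6] == PREAMBLE + b"\x01\x00"


class _Reader:
    """Bounds-checked little-endian reader; a short read is a malformed frame."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if n < 0 or self.pos + n > len(self.data):
            raise ValueError("truncated or malformed frame")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int: return self.take(1)[0]
    def u16(self) -> int: return struct.unpack("<H", self.take(2))[0]
    def i32(self) -> int: return struct.unpack("<i", self.take(4))[0]

    def counted_string(self) -> str:
        fmt, n = self.u8(), self.i32()         # string format: 0 = UTF-16LE, 1 = UTF-8
        raw = self.take(n)
        if fmt == 0: return raw.decode("utf-16-le")
        if fmt == 1: return raw.decode("utf-8")
        raise ValueError(f"unknown string format {fmt}")

    def value(self, fmt: int):
        if fmt == 0: return None
        if fmt == 1: return self.counted_string()
        if fmt == 2: return self.u8()
        if fmt == 3: return self.u16()
        if fmt == 4: return self.i32()
        raise ValueError(f"unknown header data format {fmt}")


@dataclass
class Frame:
    operation: str
    chunked: bool
    headers: Dict[str, object] = field(default_factory=dict)
    body: bytes = b""            # serialized MethodCall/MethodReturn, left undecoded


def parse_frame(data: bytes) -> Frame:
    """Decode one NRTP frame header and slice out its body."""
    if not looks_like_nrtp(data):
        raise ValueError("not a .NET Remoting TCP frame")
    r = _Reader(data)
    r.take(6)                                        # preamble + version
    operation = OPERATIONS.get(r.u16(), "Unknown")
    chunked = r.u16() == 1                           # 0 = fixed length, 1 = chunked
    content_length = None if chunked else r.i32()
    frame = Frame(operation, chunked)
    while True:
        token = r.u16()
        if token == END_OF_HEADERS:
            break
        if token == CUSTOM_HEADER:                   # name and value are both counted strings
            name = r.counted_string()
            frame.headers[name] = r.counted_string()
            continue
        frame.headers[HEADER_TOKENS.get(token, f"Header{token}")] = r.value(r.u8())
    # Chunked bodies carry their own length prefixes and are returned raw here.
    frame.body = r.take(content_length) if content_length is not None else data[r.pos:]
    return frame


def _counted(s: str) -> bytes:
    """UTF-8 counted string; used only to build the constructed sample below."""
    b = s.encode("utf-8")
    return b"\x01" + struct.pack("<i", len(b)) + b


# Constructed sample mirroring the captured first request (body is a stand-in).
SAMPLE_URI = "tcp://x64-PC:9010/TrackIt.Core.ConfigurationService"
SAMPLE_BODY = b"<BinaryFormatter MethodCall omitted>"
SAMPLE_FRAME = (
    PREAMBLE + b"\x01\x00"                                  # preamble, version 1.0
    + struct.pack("<H", 0)                                  # OperationType: Request
    + struct.pack("<H", 0)                                  # ContentDistribution: fixed length
    + struct.pack("<i", len(SAMPLE_BODY))                   # ContentLength
    + struct.pack("<H", 4) + b"\x01" + _counted(SAMPLE_URI)                   # RequestUri
    + struct.pack("<H", 6) + b"\x01" + _counted("application/octet-stream")   # ContentType
    + struct.pack("<H", 0)                                  # EndOfHeaders
    + SAMPLE_BODY
)

if __name__ == "__main__":
    f = parse_frame(SAMPLE_FRAME)
    print(f.operation, f.headers)
```

Run over the first bytes of each TCP stream in a capture, looks_like_nrtp plus the RequestUri header gives an inventory of remoting endpoints and object names without touching the serialized payload, which is where the actual method call (and any deserialization risk) lives.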

Second request

GetProductDeploymentValues TrackIt.Core.Configuration.IConfigurationSecureDelegator, TrackIt.Core.Configuration, Version=11.2.0.345, Culture=neutral, PublicKeyToken=null

As we have seen before [link to the first .NET remoting post] we can find the DLL and the object that is being called remotely.

Remote function: GetProductDeploymentValues
Function class: TrackIt.Core.Configuration.IConfigurationSecureDelegator
DLL: TrackIt.Core.Configuration

The application that called the remote object is C:\Program Files (x86)\BMC Software\Track-It!\Track-It! Server\Installers\TechnicianClient\en\TechnicianClient_11_2_0_345\TechnicianClient.exe. The DLL in question is in the same directory.

[pic07]

This looks like the list of all exposed functions. GetFileContent looks nice.

[pic7.5]

Now we want to know when it is called. If we remember the .NET Remoting primers, we know that an instance of this function will be created and sent over. Right-click the function and select Analyze, and a panel appears. In the panel select Used By. This shows everywhere in the loaded binaries (executables and DLLs) that this function is used. In this case it is in the same DLL (TrackIt.Core.Configuration.dll) and the function is TrackIt.Core.Configuration.ConfigurationInterceptor.GetProductDeploymentValues(). Pretty handy, neh?

[pic08]

Let’s put a breakpoint here and run TechnicianClient.exe in dnSpy. Now, if we want to see how we got here, we can use Debug (menu) > Show Call Stack. Isn’t this nice?

[pic09]

Now if we step into three times, we will reach the familiar code in mscorlib.dll at CommonLanguageRuntimeLibrary.System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke.

[pic10]

type equals 1, so the if statement will be true. Now step until we are past line 408, i.e. message = expr_14; (remember that breakpoints set here will not trigger). We can then inspect the variable message and see the method being called and its arguments, if it has any (remember that Alt+4 opens the Locals panel).

[pic11]

Great, now we have a decent idea of what is happening here with regards to .NET Remoting. If we go to the C:\Program Files (x86)\BMC Software\Track-It!\Track-It! Services directory we will see a similar set of DLLs (both caller and callee have a copy of the methods). In this case the DLL is TrackIt.Core.Configuration.dll.

[pic12]

We can use this DLL to create our own app that connects to the service and does stuff.